Privacy Policy
Last updated: 2026-06-10
The short version: we collect only what the game needs to work (your email, password hash and gameplay data). We use essential cookies only — no advertising, no analytics trackers, no social-media pixels — and we never sell or share your data for marketing.
1. Who is responsible
The Service is operated as a hobby project from Japan. For anything in this policy, contact contact@mtg-simulator.com.
2. Data we collect
- Account data: email address, a hashed password (Argon2 — we never store the plain password and cannot see it), display name, username, optional bio and avatar URL, profile visibility settings, and email-verification status.
- Gameplay data: your virtual budget, card collection, pack-opening history, marketplace listings and bids, trades, friends, streaks and leaderboard entries.
- Activity records: in-app actions (e.g. opening a pack, placing a bid) are logged with timestamps. Site administrators can view these logs to moderate the Service and investigate abuse.
- Technical data: standard web-server logs (IP address, user agent, requested URLs), kept briefly for security and debugging.
We do not collect payment data — the Service is free.
3. Why we process it
- To provide the Service (contract): accounts, login, gameplay, email verification and password resets.
- To keep the Service safe (legitimate interest): moderation, abuse prevention, security logging.
We send only transactional email (verification, password reset). No marketing email.
4. Where your data lives
Data is stored on Microsoft Azure servers in the Korea Central region, with encrypted backups handled by the operator. Access is restricted to the site operator.
5. Third parties
We do not sell data or share it with anyone for marketing. The only parties that technically process data are:
| Party | What they receive | Why |
|---|---|---|
| Scryfall (scryfall.com) | Your IP address and the card images your browser requests | Card images load directly from Scryfall's servers |
| Our email (SMTP) provider | Your email address and the message content | Verification and password-reset emails |
| Microsoft Azure | All data (hosting infrastructure) | The Service runs on Azure |
| Donation provider | Nothing — unless you click the donate link, after which their own privacy policy applies | Voluntary donations (external site) |
6. Cookies and browser storage
We use strictly necessary cookies only, which is why we show a notice rather than ask for consent — there is no optional tracking to consent to.
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| authjs.session-token | Cookie (httpOnly) | Keeps you signed in | 30 days |
| authjs.csrf-token | Cookie | Protects forms against cross-site request forgery | Session |
| authjs.callback-url | Cookie | Returns you to the right page after signing in | Session |
| cookie-notice-ack | localStorage | Remembers that you dismissed the cookie notice | Until cleared |
| packOpeningMode | localStorage | Remembers your preferred pack-opening animation | Until cleared |
| donate popup flag | sessionStorage | Shows the welcome/donation popup at most once per visit | Browser tab session |
If we ever add analytics or advertising, this section will change and we will ask for consent first.
7. Retention
- Account and gameplay data: kept while your account exists.
- Verification and password-reset tokens: deleted after use or expiry (at most a few hours).
- Server logs: rotated within a few weeks.
- Database backups: retained for a limited period and then deleted on rotation.
8. Your rights
You can view and edit most of your data directly in your profile. In addition — and where GDPR or similar laws apply, as a legal right — you can ask us to access, correct, export or delete your data by emailing contact@mtg-simulator.com from your registered address. Deletion removes your account and associated gameplay data; we aim to complete requests within 30 days. EEA/UK users also have the right to lodge a complaint with their supervisory authority.
9. Children
The Service is not directed at children under 13 (or under 16 where a higher age applies), and we do not knowingly collect their data. If you believe a child has created an account, contact us and we will delete it.
10. Changes
We will update this policy if our data practices change and announce material changes on the site. See also our Terms of Service.